CVE-2019-16159: BGP: Fix bugs in handling of shutdown messages (1657c41c) · Commits · labs / BIRD Internet Routing Daemon
BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 has a stack-based buffer overflow. The BGP daemon’s support for RFC 8203 administrative shutdown communication messages included an incorrect logical expression when checking the validity of an input message. Sending a shutdown communication with a sufficient message length causes a four-byte overflow to occur while processing the message, where two of the overflow bytes are attacker-controlled and two are fixed.
Commit 1657c41c authored Sep 09, 2019 by
BGP: Fix bugs in handling of shutdown messages
There is an improper check for valid message size, which may lead to stack overflow and buffer leaks to log when a large message is received.
Thanks to Daniel McCarney for bugreport and analysis.
…
…
@@ -1539,7 +1539,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
return 1;
/* Handle proper message */
if ((msg_len > 255) && (msg_len + 1 > len))
if (msg_len + 1 > len)
return 0;
/* Some elementary cleanup */
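Review bot: the corrected condition `if (msg_len + 1 > len)` in bgp_handle_message() carries no comment saying what the `+ 1` accounts for (presumably the length octet that precedes the message), and the comment above it, "Handle proper message", reads as the opposite of what the check does, which is to return 0 when the declared length does not fit in the received data. The previous `&&` form only ran the length comparison when msg_len exceeded 255, so every shorter declared length skipped it. A one-line comment stating the invariant (declared length plus its length byte must not exceed len) would make that harder to reintroduce.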
…
…
@@ -1555,7 +1555,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
void
bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len)
{
byte argbuf[256], *t = argbuf;
byte argbuf[256+16], *t = argbuf;
unsigned i;
/* Don’t report Cease messages generated by myself */
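Review bot: `byte argbuf[256+16]` in bgp_log_error() widens the stack buffer by an unexplained 16 bytes, while the function still accepts an arbitrary `unsigned len` from its caller. Nothing visible in this hunk clamps len against sizeof(argbuf), so the buffer stays safe only as long as every caller validates the length first, as the other hunk now does in bgp_handle_message(). Suggest documenting what the 16 bytes of slack cover, and bounding len inside bgp_log_error() itself or tying both sizes to one named constant so the two places cannot drift apart.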
…
…